State Department Chief Information Officer (CIO) Fernando Burbano
told members of Congress January 27 that the results of Y2K
remediation were positive and many valuable lessons were learned. He
said, "The Department of State, along with the rest of the federal
government, showed just how powerful and effective we can be when we
are singularly focused and committed to solving a problem, and are
provided the necessary resources to get the job done."

Addressing the issue of whether too much money was spent on preparing
for Y2K, Burbano said, "We should be careful not to confuse the lack
of catastrophic disruptions with unnecessary preparations by the
federal government."

Y2K-related computer failures are minimal thus far, he said, largely
because of the "United States' government's international outreach
and awareness campaign led by the Department of State, Department of
Defense, and the President's Council on the Year 2000 Conversion, and
in coordination with the United Nations and the World Bank."

Even though no major glitches disrupted vital services, preparing for
Y2K forced governments and businesses to realize the importance of
their computer systems and cooperation with other businesses and
organizations, Burbano said.

Burbano attributed the success of the government's Y2K effort to two
primary factors: the participation of congressional oversight
organizations and the availability of supplemental funding to pay for
the fixes.

Good morning Mr. Chairman, Madame Chairwoman, and distinguished
members of the Subcommittee on Government Management, Information, and
Technology, and members of the Subcommittee on Technology. Since my
oral testimony is limited to 5 minutes, my written testimony includes
more detail.

As Chairman of the CIO Council's Subcommittee on Critical
Infrastructure Protection I am pleased to have this opportunity to
discuss how lessons learned and products and processes developed in
support of Y2K can be leveraged into our ongoing critical
infrastructure security efforts, and challenges facing federal
agencies in implementing security measures. As well, in my role as
Chief Information Officer of the Department of State, I would like to
thank you for providing me this opportunity to talk about the results
and continuing impacts of the Department's successful Year 2000
preparation efforts. The Department of State, along with the rest of
the federal government, showed just how powerful and effective we can
be when we are singularly focused and committed to solving a problem,
and are provided the necessary resources to get the job done.

First, let me quickly address the cost of preparing for Y2K. The
question is, "Did we spend too much?" The answer is very simple:
absolutely not. We should be careful not to confuse the lack of
catastrophic disruptions with unnecessary preparations by the federal
government.

Now, moving on to the actual results of the Y2K rollover and its
impacts to the global community. In general, there were few, and only
minor Y2K failures reported internationally, and none that impacted
the safety of American citizens worldwide. I believe this global
success is a direct result of the United States government's
international outreach and awareness campaign led by the Department of
State, Department of Defense, and the President's Council on the Year
2000 Conversion, and in coordination with the United Nations and World
Bank. Embassies representing the United States' presence in over 160
countries around the world played a key role in monitoring and
reporting events in their host countries and post facilities to our
Y2K Task Force convened in State's Operations Center. Additionally,
internal State Department systems fared exceptionally well through
the rollover, experiencing no significant failures among our mission
critical, critical, and routine systems.

As you are well aware, many of the products and processes developed to
address Y2K problems can be applied to future challenges and serve as
the foundation for managing issues which cross agency and
public/private boundaries, including Critical Infrastructure
Protection. In fact, much of the work already done is a prerequisite
for PDD-63 (Presidential Decision Directive), Critical Infrastructure
Protection, Clinger-Cohen (Act) and other Government Performance and
Results Act initiatives.

Specifically, Y2K preparation forced government agencies to take a
close look at their information technology (IT) applications and produce
a complete prioritized inventory. This is a critical first step to
identifying and refining the Mission Essential Infrastructure as
required by PDD-63.

The Y2K effort produced program management methodologies which were
applied across all government agencies and included Executive and
Congressional oversight, Assistant Secretary level management, and
repeatable standardized measures and processes. This management
structure can also be applied to Critical Infrastructure Protection.
All elements of the federal government reviewed and developed
contingency plans for critical business processes. The development of
these contingency plans resulted in a greater understanding by senior
policy managers of the dependency of business processes on IT systems.
Additionally, these plans are durable beyond Y2K and establish the
foundation for all future contingency operations planning.

For the Y2K rollover period, the government developed a robust global
reporting structure which can be leveraged into a mechanism for
monitoring threats against critical infrastructure elements. For
example, within the Department of State, we have developed a
web-based, geographic information system to collect cyber-threat
information from all overseas posts. This tool could serve as a pilot
system for other agencies to collect and analyze cyber-threat data.

Finally, Y2K preparation efforts increased the level of interagency
cooperation and coordination between the public and private sectors.
This same working level teamwork will be required to effectively
implement Critical Infrastructure Protection plans.

There are two areas which I believe allowed the federal government to
successfully overcome widespread Y2K problems in the face of an
immovable, tight deadline. First, continued participation by key
congressional oversight organizations provided federal Y2K programs
the authority needed to push agency resources to their limits. Second,
the ability of federal Y2K programs to rapidly obtain, and more
importantly retain, adequate separate supplemental funding
specifically designated for Y2K allowed each agency to acquire the
resources necessary to achieve time sensitive objectives. This ability
of federal agencies to have access to a congressionally managed, yet
continuous separate supplemental funding stream designated
specifically for the Y2K effort, allowed federal CIOs and Y2K Program
Managers the ability to acquire and retain qualified resources in the
needed quantity.

Critical Infrastructure Protection programs require the same approach.
Involvement by Congress and other oversight organizations to raise the
level of awareness and visibility throughout the federal community and
oversee CIP implementation progress in support of national security
goals is vital, and this activity is already underway. But just as
important to me and my colleagues throughout government is access to
funding which allows each of us to begin developing and implementing
our plans in accordance with PDD-63 and other Critical Infrastructure
Protection guidance and statutes.

One of the key obstacles preventing agencies from immediately pursuing
CIP initiatives is the lack of current funding for these projects. Due
to the federal government's budget cycle, forecasting for future work
is done two years prior to the budget year. Therefore, as new
requirements are levied, current agency budgets do not reflect
changing priorities and requirements, such as the new Critical
Infrastructure Protection implementation initiative. In light of this,
there are numerous events that have prevented agencies from adequately
addressing current CIP implementation requirements in their FY2000-1
budgets. First, the unprecedented and unpredicted growth of internet
use and technologies over the last two years. Second, the
corresponding collateral growth of the cyber underworld during this
same period. Third, the extent to which our daily business relies on
internet-based systems, and the fundamental shift in business tools to
be used in a web-based environment. And finally, expanding CIP
requirements on federal agencies, including the recent Critical
Infrastructure Protection National Plan and its 10 Programs, some of
which require immediate implementation. These are just some of the
reasons why federal agencies are poorly positioned to successfully
implement Critical Infrastructure Protection programs to address the
challenges posed by the ever-growing cyber underworld, not to mention
to be in compliance with Executive guidance. Although we of the CIO
Council fully understand fiscal constraints, reallocation of just a
fraction of the current surplus would be a solid investment for the
protection of the federal government's critical infrastructure.

In closing, it is my belief, and the belief of members of my
subcommittee and CIOs across the federal government, that in order for
National CIP initiatives to be fully successful, continued
congressional support, as well as the ability to get access to
specific CIP and security-related funding, is vital. I cannot emphasize
enough that without Congressionally backed support, including adequate
separate supplemental funding, we of the subcommittee on Critical
Infrastructure Protection believe the federal government will
significantly fall short of national Critical Infrastructure
Protection goals.

Thank you.

(end text)

(Distributed by the Office of International Information Programs, U.S.
Department of State)